Bank-grade security & operations

When documents contain highly sensitive information, you can’t afford to take risks. Protecting your data is DocuSign’s top priority. That’s why we offer bank-grade security and operations. DocuSign’s comprehensive approach ensures the security, privacy, compliance, and enforceability of your DocuSign transactions.

Benefits of DocuSign’s bank-grade security

DocuSign's bank-grade security and operations deliver:

Unmatched compliance with security standards

DocuSign meets and exceeds the most stringent U.S. and global security standards. No other Digital Transaction Management (DTM) company can match the enterprise security and operations investments DocuSign has made—and third-party audit reports back it up. DocuSign is the only DTM provider to be ISO 27001-certified and SSAE 16-certified (SOC 1 and SOC 2) and internationally tested across the entire company and its data centers.

DocuSign is also a proponent of the xDTM Standard, the transaction management standard for an open, digital world, and a founding member of its Governing Board. The xDTM Standard helps organizations and consumers leverage the benefits of DTM to conduct online transactions without exposing them to the risks and consequences of using noncompliant technologies. Built on the dual concepts of trust and connectedness, the Standard includes specific, measurable thresholds for security, privacy, compliance, availability, and other critical elements.

Document privacy

Only DocuSign provides full document encryption to ensure the privacy of your data. Documents stored in our ISO 27001 and SSAE 16 data centers are encrypted with the highest levels of encryption.

Only you and individuals authorized by your company have access to your documents. Your content stays private—including from DocuSign. Employees never have access to your content. Rest assured that your personal information is safe with DocuSign. Your data is your data. DocuSign will never sell your information.

Highly secure access

Many of the world’s most stringent organizations, such as financial services, insurance, and healthcare companies, use DocuSign’s advanced authentication methods to validate the identity of all transacting parties. These methods include texting an SMS code to another device, answering "secret knowledge" questions, and using voice authorization.

Enforceability and non-repudiation of transactions

Our hashing algorithm verifies that documents have not been modified, and our PKI digital certificate technology secures documents and signatures with tamper-evident seals.

DocuSign's court-admissible, digitally signed, and tamper-evident Certificate of Completion contains a comprehensive audit trail that includes:

  • Signing parties’ names
  • Digital signatures
  • Email addresses
  • Public IP addresses
  • Signing location (if provided)
  • Chain of custody (sent, viewed, signed, etc.)
  • Timestamps

DocuSign is willing to attest to the validity of documents signed with our technology, allowing us to warrant compliance with the ESIGN Act—the only DTM company to do so.

Delivering bank-grade security

Delivering bank-grade security involves a three-pronged approach, which incorporates people, processes, and platform, and which meets—or exceeds—the standards of even the most discerning enterprises.

Dedicated and experienced security team

DocuSign has invested heavily in a dedicated security team, made up of senior executives, including a Chief Risk Officer and Chief Information Security Officer. The team oversees DocuSign’s comprehensive security protocol and conducts mandatory, ongoing security training for all employees. DocuSign works closely with leading security experts to continually monitor the security landscape and to evolve our security strategy.

Best-in-class processes

DocuSign takes a thorough approach to governance, risk, and compliance, which ensures that all security policies and certifications are best-in-class. A security council regularly reviews all processes. Plus, fundamental physical security procedures, such as badges, cameras, and strict access controls, are complemented by technical security, which includes:

  • Robust endpoint security, including data leakage prevention and malware protection
  • Ongoing monitoring, defense, and incident response
  • Managed services for third parties, including a vendor security compliance program

Trusted platform

Each component of DocuSign's trusted platform undergoes tremendous security scrutiny.

Hardware and infrastructure

  • Three geo-dispersed, ISO 27001-certified and SSAE 16-audited data centers
  • Near real-time secure data replication and encrypted archival
  • Around-the-clock onsite security

Applications and access

  • Formal code reviews and vulnerability mitigation by third parties
  • Application level Advanced Encryption Standard (AES) 256-bit encryption
  • Key management and encryption program

Systems and operations

  • Separate corporate and production networks (physically and logically)
  • Two-factor, encrypted virtual private network (VPN) access
  • Active 24/7 monitoring and alerting

Transmission and storage

  • Secure, private SSL 256-bit viewing session
  • Anti-tampering controls
  • Digital audit trails

Dedicated Trust Center

Only DocuSign maintains a Trust Center as a source for the latest security, system performance, and availability information: